“…ges from previously discussed .NET-based methods. On October 8, 2025, Trend Research analysis revealed file downloads originating from WhatsApp Web sessions. Closer examination shows that instead of employing .NET binaries, the new chain leverages script-based techniques, o…”
T1204.002 Malicious File (95%)
“messaging platforms for stealthy, scalable attacks. In September 2022, Coyote emerged in Latin America through phishing campaigns, cleverly masking malicious ZIP archives as resume submissions. The infection chain followed a ZIP archive containing a LNK file, which executed an MS…”
T1204.002 Malicious File (81%)
“with the malware SORVEPOTEL. The campaign highlighted by malicious ZIP files such as "res-20250930_112057.zip". The attack now utilized modular architecture, delivering distinct payloads for WhatsApp hijacking and .NET-based infostealer functionality. Notably, it feature…”
T1047 Windows Management Instrumentation (78%)
“sends them back to the C&C server, giving threat actors insight into success rates, victim system profiles, and lists of successfully contacted targets. This intelligence allows attackers to accurately measure campaign performance, orchestrate actions across multiple infected m…”
T1059.001 PowerShell (60%)
“…bugging routines, and typosquatting domains. Malware capabilities expanded to session hijacking, keylogging, automated account takeover, and dynamic phishing overlays, often mimicking legitimate user behaviors. Third wave: script-based attack. Recent attacks leverage fileless…”
“…ware implements a WMI-based mutex mechanism to prevent multiple instances from running simultaneously. This implementation uses WMI process enumeration rather than traditional Windows mutex objects, querying for wscript.exe and cscript.exe processes and checking their comma…”
T1555.003 Credentials from Web Browsers (44%)
“in C:\temp, downloads the latest WhatsApp automation library (wa-js) from GitHub, and retrieves a malicious ZIP payload and saves it as bin.zip in C:\temp. WhatsApp Web browser hijacking: similar to how the previous attack chain hijacks WhatsApp Web browser sessions, th…”
T1204.002 Malicious File (44%)
“…bugging routines, and typosquatting domains. Malware capabilities expanded to session hijacking, keylogging, automated account takeover, and dynamic phishing overlays, often mimicking legitimate user behaviors. Third wave: script-based attack. Recent attacks leverage fileless…”
T1204.002 Malicious File (44%)
“, a hybrid automation phase with browser tooling, and a current script-first phase that weaponizes live WhatsApp sessions. First wave: compiled banking trojan. Attackers initiated campaigns with phishing emails delivering ZIP archives containing LNK or EXE files. Execution chai…”
T1539 Steal Web Session Cookie (37%)
“in C:\temp, downloads the latest WhatsApp automation library (wa-js) from GitHub, and retrieves a malicious ZIP payload and saves it as bin.zip in C:\temp. WhatsApp Web browser hijacking: similar to how the previous attack chain hijacks WhatsApp Web browser sessions, th…”
T1547.009 Shortcut Modification (34%)
“, a hybrid automation phase with browser tooling, and a current script-first phase that weaponizes live WhatsApp sessions. First wave: compiled banking trojan. Attackers initiated campaigns with phishing emails delivering ZIP archives containing LNK or EXE files. Execution chai…”
T1204.004 Malicious Copy and Paste (31%)
“, a hybrid automation phase with browser tooling, and a current script-first phase that weaponizes live WhatsApp sessions. First wave: compiled banking trojan. Attackers initiated campaigns with phishing emails delivering ZIP archives containing LNK or EXE files. Execution chai…”
Summary
Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordinated botnet operations, gather detailed campaign intelligence, and dynamically control malware activity across multiple infected machines.